Cut-price phishing toolkits pose growing threat

The marketplace for phishing toolkits, which can allow technophobe criminals to quickly and easily set up spoofed versions of banking Web sites, is booming, with kits changing hands for as little as $30 (£16.15).

Although phishing kits are nothing new, over the past year their quantity and quality have increased dramatically, according to Dan Hubbard, who is vice president of security research for Websense and a representative of the Anti-Phishing Working Group.

"[Phishing kits] have been around for years but the volume is one of the big changes… the kits available are better designed," Hubbard said in a telephone interview last week.

"The kit makers publish and test against signature detection as part of their advertising portfolio — 'not detected by antivirus, not detected by heuristics, not detected by signatures'."

Hubbard said that software developers were creating the kits in partnership with "traditional" criminals who want to start a new business in the online world.

"A lot of the 'traditional' criminals are good at getting dollars back for the [stolen] credentials. You also have your security programmer guy — who probably isn't as good at monetising these assets. The two working together make a scary combination," said Hubbard.

According to the Websense Security Trends Report for the first half of 2006, which was published earlier this month, phishing toolkits sell for between $30 and $3,000, depending on their sophistication, ease of use and their ability to defeat anti-phishing technologies.

The more expensive kits even come equipped with exploit codes that take advantage of newly discovered — or even unknown — browser vulnerabilities to make it easier to hook victims.

"When a new vulnerability comes out they are on it right away and in some cases they are actually either buying zero day vulnerabilities and exploit code or creating them themselves," Hubbard said.

"They use exploit code within a browser to get something on your machine, which in turn looks for behaviours from the end user and then steals credentials."

Finding the phishHubbard said that sites created by some common phishing kits were easy to spot because the kit used a similar design for every fraudulent site it created. However, with the more expensive kits, unique site designs are generated for each user.

"The obfuscation techniques they use are very difficult to detect with antivirus because JavaScript can be tuned, changed on the fly and every user can have a different version of the content," Hubbard said.

"[With a kit like] Webattacker, for example, every single person that installs it has their own personal version and each user that connects to the Web site — depending on their browser — is served up with their own exploit code. There is no consistency with regards to heuristics."